auparse question - Linux-audit - Linux-Audit List Archives

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

auparse question

new auparse question

Re: auparse question

LC Bruzenak

Tuesday, 30 August 2011 Tue, 30 Aug '11

4:12 p.m.

I'm using auparse_get_field_type from the parse lib. The return value for error is "0" which is also that of the AUDIT_PID field. Right? I am getting some errors that thought they were PIDs. Thx, LCB -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

Reply

Show replies by date

Miloslav Trmac

Tuesday, 30 August Tue, 30 Aug

6:18 p.m.

----- Original Message -----

I'm using auparse_get_field_type from the parse lib. The return value for error is "0" which is also that of the AUDIT_PID field. Right? I am getting some errors that thought they were PIDs.

The return value of auparse_get_field_type() is a value from auparse_type_t defined in auparse-defs.h. 0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is no current field, or we don't know what kind of data is in the field"). AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are distinct. It is somewhat confusing I'm afraid. Mirek

Reply

Steve Grubb

Wednesday, 31 August Wed, 31 Aug

1:29 p.m.

On Tuesday, August 30, 2011 07:18:02 PM Miloslav Trmac wrote:

----- Original Message ----- > I'm using auparse_get_field_type from the parse lib. > The return value for error is "0" which is also that of the AUDIT_PID > field. > > Right? I am getting some errors that thought they were PIDs. The return value of auparse_get_field_type() is a value from auparse_type_t defined in auparse-defs.h.

Right. AUDIT_PID is an event record type which would be returned by auparse_get_type(). If you look in auparse.h, you can see the groupings of functions that access event level, record level, and field level components.

0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is no current field, or we don't know what kind of data is in the field").

Yes, but the intent of AUPARSE_TYPE_UNCLASSIFIED is to say that the field contains data that needs no special cross reference or conversion to be human readable (or as you say we don't know about the field). This is different from returning something to say that you are not pointed at a valid field - i.e. you ran off the end. From what I can tell, you can only get the error if you are moving the internal pointer around without checking return codes. There really is an unintended API mistake in there. :)

AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are distinct. It is somewhat confusing I'm afraid.

Maybe looking at the auparse.h file clarifies a few things since they are grouped? -Steve

Reply

Steve Grubb

11:49 a.m.

On Tuesday, August 30, 2011 05:12:17 PM LC Bruzenak wrote:

I'm using auparse_get_field_type from the parse lib. The return value for error is "0" which is also that of the AUDIT_PID field. Right? I am getting some errors that thought they were PIDs.

That does seem to be a mistake in the API. As a workaround for this, you can check for an error with auparse_get_record_text() == NULL. I suppose I could fix the problem going forward by making auparse_get_type() return -1 on error. -Steve

Reply

5029

days inactive

5030

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

LC Bruzenak
Miloslav Trmac
Steve Grubb